The present invention relates in general to security application management and, in particular, to a system and process for brokering a plurality of security applications using a modular framework in a distributed computing environment.
Information networks interconnecting a wide range of computational resources have become a mainstay of corporate enterprise computing environments. Typically, several host computer systems are interconnected internally over an intranetwork to which individual workstations and network resources are connected. These intranetworks, also known as local area networks (LANs), make legacy databases and information resources widely available for access and utilization throughout the corporation. These same corporate resources can also be interconnected to wide area networks (WANs), including public information internetworks such as the Internet, to enable internal users access to remote computational resources, such as the World Wide Web, and to allow outside users access to select corporate resources for the purpose of completing limited transactions or data transfer.
Most current internetworks and intranetworks are based on the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, such as described in W. R. Stevens, "TCP/IP Illustrated," Vol. 1, Ch. 1, Addison-Wesley (1994), the disclosure of which is incorporated herein by reference. Computer systems and network devices employing the TCP/IP suite implement a network protocol stack, which includes a hierarchically structured set of protocol layers. Each protocol layer performs a set of pre-defined functions as specified by the official TCP/IP standards set forth in applicable Requests for Comment (RFC).
The growth of distributed computing environments, particularly TCP/IP environments, has created an increased need for computer security, especially for protecting operating system and application software and stored data. A wide range of security applications are needed to ensure effective security. For example, firewalls and intrusion detection systems are necessary to combat would-be network intruders, the so-called "hackers," of the networking world. Similarly, antivirus scanning applications must be regularly executed and, equally importantly, updated, to detect and eradicate "malware" consisting of computer viruses, Trojan horses, and other forms of unauthorized content.
In addition to these forms of reactive security applications, proactive security applications are increasingly being adopted to prevent security breaches from happening. For instance, vulnerability scanners probe and identify potential security risks and concerns. Likewise, "honey pot" or decoy host systems create the illusion of a network of relatively unguarded, virtual hosts within which a would-be hacker can be tracked and identified.
While these types of security applications form a powerful arsenal of defensive and offensive security tools, configuring and managing these security tools is a time-consuming and complex task. Even within a given site, security policies may vary and require different settings depending upon the platform and organizational needs. Moreover, the time required to properly configure and maintain a network site grows substantially with each installed platform. For instance, a detection signature must be installed on each networked system for every newly-discovered computer virus. Installing these signatures alone can take a substantial amount of time. Finally, individual systems, particularly when left with open administrative permissions, can depart from the actual security policy in effect, thereby bypassing the security measures already in place and unwittingly placing the network in jeopardy.
On-going maintenance notwithstanding, defensive security applications typically generate logs of network events. In the same way, offensive security applications generate reports of vulnerabilities and similar findings. These logs and reports can be extremely voluminous, potentially to the point of data saturation. A single report for an average size corporate network can easily span several hundred pages, the bulk of which may never be read or used. Moreover, each security application tends to adopt a proprietary log or report format which duplicates reporting functionality through an application-specific approach. These proprietary approaches result in duplicated effort and wasted computational resources.
Therefore, there is a need for an approach to providing a centralized management framework for security applications. Such an approach would preferably provide an integrated broker into which a variety of services, such as event analysis and reporting, could be flexibly installed for use by a plurality of security applications.
There is a further need for a security application framework providing a common user interface for configuring and managing both local and remote security applications.
The present invention provides a system and process for interfacing and brokering security applications using a security management interface framework. A centralized broker is interfaced to a set of snap-in components in a layered, hierarchical structure. A root snap-in component provides the basic user interface and management infrastructure and is surrounded by top-level snap-in components which provide security application-independent services. The top-level snap-in components are surrounded by one or more layers of security application snap-in components. In addition, security applications running on client systems can be configured and managed through an agent communication snap-in service.
An embodiment of the present invention is a system and process for brokering a plurality of security applications using a centralized broker in a distributed computing environment. A centralized broker is executed on a designated system within the distributed computing environment. A set of snap-in components are provided with each performing a common management task sharable by a plurality of security applications. A console interface is exposed from the centralized broker. The console interface implements a plurality of browser methods which each define a browser function which can be invoked by each snap-in component. A set of snap-in interfaces are exposed from each snap-in component. Each snap-in interface implements a plurality of service methods which each define a user-interface function which can be invoked by the centralized broker. One or more security applications are brokered through the centralized broker. Each security application is interfaced to the centralized broker through the snap-in components. Each security application is managed by invoking at least one such browser method via the console interface. A plurality of the security applications are centrally serviced by invoking at least one such service method via at least one such snap-in interface.
In a further embodiment of the present invention, a namespace is provided as a snap-in component to the centralized broker for remotely configuring and managing security applications on remote client systems.
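The following is an added example, not code from the patent or from any product it describes. It models in-process the arrangement summarized above: a centralized broker exposing a console interface whose browser methods are called by snap-ins, snap-ins exposing service methods the broker calls, a root node surrounded by an application-independent top-level snap-in (event reporting), a security application snap-in (firewall) layered under it, and a namespace snap-in that fans configuration out to remote client agents. Every class, method and node name (Broker, ConsoleInterface, SnapIn, EventReportingSnapIn, FirewallSnapIn, AgentNamespaceSnapIn, the "Security Management Console" root, the client names and the sample policy values) is a hypothetical illustration; the remote agents are simulated as an in-memory dictionary.

```python
"""Added example, not from the patent: an in-process model of the centralized
broker and layered snap-in architecture. All names here are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Protocol


@dataclass
class ConsoleInterface:
    """Exposed by the broker; snap-ins call these browser methods to build the
    management tree and to report status back to the console."""
    tree: Dict[str, List[str]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def add_node(self, parent: str, name: str) -> None:
        self.tree.setdefault(parent, []).append(name)
        self.tree.setdefault(name, [])

    def notify(self, message: str) -> None:
        self.log.append(message)


class SnapIn(Protocol):
    """Exposed by each snap-in; the broker calls these service methods."""
    name: str
    def initialize(self, console: ConsoleInterface, parent: str) -> None: ...
    def configure(self, settings: dict) -> dict: ...


class EventReportingSnapIn:
    """Top-level snap-in: application-independent service shared by the
    security application snap-ins registered beneath it."""
    name = "Event Reporting"

    def __init__(self) -> None:
        self.events: List[tuple] = []

    def initialize(self, console: ConsoleInterface, parent: str) -> None:
        console.add_node(parent, self.name)

    def configure(self, settings: dict) -> dict:
        return {"retention_days": int(settings.get("retention_days", 30))}

    def record(self, source: str, event: str) -> None:
        self.events.append((source, event))


class FirewallSnapIn:
    """Security application snap-in layered under Event Reporting."""
    name = "Firewall"

    def __init__(self, reporter: EventReportingSnapIn) -> None:
        self.reporter = reporter
        self.rules: List[dict] = []

    def initialize(self, console: ConsoleInterface, parent: str) -> None:
        console.add_node(parent, self.name)

    def configure(self, settings: dict) -> dict:
        rules = settings.get("rules", [])
        # Validate the whole policy before applying any of it, so a malformed
        # rule set cannot leave the application half-configured.
        bad = [r for r in rules if r.get("action") not in ("allow", "deny")]
        if bad:
            raise ValueError(f"rules without a valid action: {bad}")
        self.rules = list(rules)
        self.reporter.record(self.name, f"{len(rules)} rules loaded")
        return {"rules": len(rules)}


class AgentNamespaceSnapIn:
    """Namespace snap-in: pushes a policy to remote client agents. The agents
    are simulated by an in-memory dict (hypothetical; a real agent channel
    would be authenticated and encrypted)."""
    name = "Agents"

    def __init__(self, clients: List[str]) -> None:
        self.agent_state: Dict[str, dict] = {c: {} for c in clients}

    def initialize(self, console: ConsoleInterface, parent: str) -> None:
        console.add_node(parent, self.name)
        for client in self.agent_state:
            console.add_node(self.name, client)

    def configure(self, settings: dict) -> dict:
        targets = settings.get("targets") or list(self.agent_state)
        unknown = [t for t in targets if t not in self.agent_state]
        if unknown:  # refuse rather than silently configuring a subset
            raise KeyError(f"unknown clients: {unknown}")
        for target in targets:
            self.agent_state[target].update(settings.get("policy", {}))
        return {"updated": sorted(targets)}


class Broker:
    """The centralized broker: owns the console interface and the snap-ins."""
    ROOT = "Security Management Console"  # hypothetical root node name

    def __init__(self) -> None:
        self.console = ConsoleInterface(tree={self.ROOT: []})
        self.snap_ins: Dict[str, SnapIn] = {}

    def register(self, snap_in: SnapIn, parent: Optional[str] = None) -> None:
        snap_in.initialize(self.console, parent or self.ROOT)
        self.snap_ins[snap_in.name] = snap_in

    def manage(self, name: str, settings: dict) -> dict:
        result = self.snap_ins[name].configure(settings)
        self.console.notify(f"{name}: {result}")
        return result


def build_demo() -> Broker:
    """Constructed scenario: one firewall policy and one agent push."""
    broker = Broker()
    reporter = EventReportingSnapIn()
    broker.register(reporter)
    broker.register(FirewallSnapIn(reporter), parent=reporter.name)
    broker.register(AgentNamespaceSnapIn(["ws-01", "ws-02"]))
    broker.manage("Firewall", {"rules": [{"src": "10.0.0.0/8", "action": "deny"}]})
    broker.manage("Agents", {"targets": ["ws-02"], "policy": {"av_signatures": "2024-01"}})
    return broker
```

The point of the layering is visible in `build_demo`: the firewall snap-in never talks to the console about events, it hands them to the shared reporting service, and the broker is the only component that invokes a snap-in's `configure`, so a policy rejected by one snap-in's validation is reported once, through the console, rather than by every application in its own format.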
In a still further embodiment of the present invention, a hierarchically structured set of event databases can be associated with the centralized broker. Event data is cascaded from child event databases to a root event database for analysis and reporting.
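As an added example, not part of the patent, the hierarchy of event databases described above can be modelled as a tree in which each node stores an event locally and cascades a copy to its parent, so the root accumulates every event from every collector. The `EventDatabase` class, the site and collector names, and the sample events (IP addresses from the documentation ranges, a 0 to 10 severity scale) are all constructed for illustration; tagging the origin at the leaf is a design choice made here so that provenance survives the cascade.

```python
"""Added example, not from the patent: event databases arranged as a tree,
with child-to-root cascading for central analysis and reporting."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class EventDatabase:
    name: str
    parent: Optional["EventDatabase"] = None
    events: List[dict] = field(default_factory=list)
    children: List["EventDatabase"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def store(self, event: dict) -> None:
        """Keep the event locally, tag its origin once (at the leaf that first
        saw it), and cascade a copy toward the root."""
        tagged = dict(event)
        tagged.setdefault("origin", self.name)
        self.events.append(tagged)
        if self.parent is not None:
            self.parent.store(tagged)

    def report(self, min_severity: int = 0) -> dict:
        """Summarise what this level holds: its own events plus everything
        cascaded up from beneath it, optionally dropping low-severity noise."""
        kept = [e for e in self.events if e["severity"] >= min_severity]
        return {
            "scope": self.name,
            "total": len(kept),
            "by_origin": dict(Counter(e["origin"] for e in kept)),
            "by_type": dict(Counter(e["type"] for e in kept)),
        }


def build_demo() -> EventDatabase:
    """Constructed hierarchy: root <- site <- per-application collector."""
    root = EventDatabase("root")
    site_a = EventDatabase("site-a", parent=root)
    site_b = EventDatabase("site-b", parent=root)
    fw_a = EventDatabase("site-a/firewall", parent=site_a)
    av_a = EventDatabase("site-a/antivirus", parent=site_a)
    fw_b = EventDatabase("site-b/firewall", parent=site_b)
    # Constructed sample events; severity is a hypothetical 0-10 scale.
    fw_a.store({"type": "port_scan", "severity": 6, "src": "203.0.113.7"})
    av_a.store({"type": "malware", "severity": 9, "file": "invoice.exe"})
    fw_b.store({"type": "deny", "severity": 1, "src": "198.51.100.4"})
    fw_b.store({"type": "deny", "severity": 1, "src": "198.51.100.9"})
    return root
```

Each site database answers questions about its own scope, while `root.report(min_severity=5)` gives the organisation-wide view with the routine firewall denies filtered out; because the origin tag is set at the leaf and preserved by `dict(event)` copies, the root can still attribute each high-severity event to the collector that produced it.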
Still other embodiments of the present invention will become readily apparent to those skilled in the art from the following detailed description, wherein is described embodiments of the invention by way of illustrating the best mode contemplated for carrying out the invention. As will be realized, the invention is capable of other and different embodiments and its several details are capable of modifications in various obvious respects, all without departing from the spirit and the scope of the present invention. Accordingly, the drawings and detailed description are to be regarded as illustrative in nature and not as restrictive.